CRITICAL🇵🇱 Wersja polska

CVE-2026-24800

CVSS 10.0v4.0pub. 2026-01-27upd. 2026-04-15

Out-of-bounds Write, Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') vulnerability in tildearrow furnace (extern/zlib modules). This vulnerability is associated with program files inflate.C.

🤖 AI Analysis
How it works

The vulnerability results from the lack of input data size verification during copying to a buffer (CWE-120) and writing outside the boundaries of allocated memory (CWE-787, Out-of-bounds Write). The error is located in the inflate.C file, which is part of the embedded external zlib module. An attacker can provide specially crafted input data causing memory to be overwritten outside the intended buffer.

Impact

Successful exploitation of the vulnerability may allow an attacker to execute arbitrary code remotely (RCE) in the context of the application process or destabilize its operation. Due to the network vector and lack of authentication requirements, the threat affects the confidentiality, integrity, and availability of the system.

Mitigation & patch

Patches available from the vendor should be applied according to the references — fix available in pull request #2471 in the tildearrow/furnace GitHub repository.

Who is affected

tildearrow furnace software — versions containing the vulnerable extern/zlib module (inflate.C file); specific versions indicated in vendor references (pull request #2471).

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:N/AU:Y/R:U/V:D/RE:L/U:Red
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
Memory
CWE
References